Establishing Trusted Channels for Confidential Workloads

Loading...
Thumbnail Image
Journal Title
Journal ISSN
Volume Title
Perustieteiden korkeakoulu | Master's thesis
Date
2024
Department
Major/Subject
Security and Cloud Computing
Mcode
SCI3113
Degree programme
Master’s Programme in Security and Cloud Computing (SECCLO)
Language
en
Pages
56
Series
Abstract
Confidential Computing protects data in-use by leveraging hardware-based, attested Trusted Execution Environments (TEEs). It is being rapidly adopted, with design specifications and hardware implementations emerging from all major platform vendors. The market for Confidential Computing is projected to reach $131 billion by 2030. The Confidential Containers (CoCo) project integrates Confidential Computing with existing cloud technologies to enhance adoption. A crucial aspect of Confidential Computing is the establishment of trusted channels, which maintains the confidentiality and integrity of data, similar to a secure channel, while also assuring other machines of the container to which they are connecting and what software it contains. In this thesis, we propose a trusted channel protocol based on WireGuard, integrated with the CoCo project, alongside a method for workload attestation. We implement a proof of concept for the upcoming Arm Confidential Computing Architecture (CCA) platform. Our implementation allows trusted channels between containers and unmodified client applications with an additional latency of just 1.5 s, incurred only during the initial establishment of the trusted channel.
Description
Supervisor
Francillon, Aurélien
Thesis advisor
Sovio, Sampo
Keywords
remote attestation, confidential computing, trusted channel, confidential containers, arm CCA, VPN
Other note
Citation